IT Act, 2000
- Enacted on 17th May 2000; India is the 12th nation in the world to adopt cyber laws
- The IT Act is based on the Model Law on Electronic Commerce adopted by UNCITRAL

Objectives of the IT Act
- To provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce"
- To facilitate electronic filing of documents with Government agencies and e-payments
- To amend the Indian Penal Code, the Indian Evidence Act, 1872, the Banker's Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934

Extent of application
- Extends to the whole of India and also applies to any offence or contravention thereunder committed outside India by any person (section 1(2), read with section 75)
- Section 75: the Act applies to an offence or contravention committed outside India by any person, irrespective of his nationality, if the act involves a computer, computer system or computer network located in India
- Section 2(1)(a): "access" means gaining entry into, instructing or communicating with the logical, arithmetic or memory function resources of a computer, computer resource or network

Definitions (section 2)
- "computer" means any electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic and memory functions by manipulation of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software or communication facilities which are connected or related to the computer in a computer system or computer network
- "computer network" means the inter-connection of one or more computers through
  (i) the use of satellite, microwave, terrestrial line or other communication media; and
  (ii) terminals or a complex consisting of two or more interconnected computers, whether or not the interconnection is continuously maintained

Definitions (section 2)
- "computer system" means a device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, which contain computer programmes, electronic instructions, input data and output data, and that performs logic, arithmetic, data storage and retrieval, communication control and other functions
- "data" means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer

Definitions (section 2)
- "electronic record" means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche
- "secure system" means computer hardware, software and procedure that (a) are reasonably secure from unauthorised access and misuse; (b) provide a reasonable level of reliability and correct operation; (c) are reasonably suited to performing the intended function; and (d) adhere to generally accepted security procedures
- "security procedure" means the security procedure prescribed by the Central Government under the IT Act, 2000
- "secure electronic record": where any security procedure has been applied to an electronic record at a specific point of time, such record shall be deemed to be a secure electronic record from that point of time to the time of verification

Act is not applicable to...
- (a) a negotiable instrument (other than a cheque) as defined in section 13 of the Negotiable Instruments Act, 1881;
- (b) a power-of-attorney as defined in section 1A of the Powers-of-Attorney Act, 1882;
- (c) a trust as defined in section 3 of the Indian Trusts Act, 1882;

Act is not applicable to...
- (d) a will as defined in clause (h) of section 2 of the Indian Succession Act, 1925, including any other testamentary disposition;
- (e) any contract for the sale or conveyance of immovable property or any interest in such property;
- (f) any such class of documents or transactions as may be notified by the Central Government

Electronic Commerce
- EC transactions over the Internet include:
  - Formation of contracts
  - Delivery of information and services
  - Delivery of content
- The future of electronic commerce depends on "the trust that the transacting parties place in the security of the transmission and content of their communications"

Electronic World
- An electronic document is produced by a computer, stored in digital form, and cannot be perceived without using a computer
- It can be deleted, modified and rewritten without leaving a mark
- The integrity of an electronic document is inherently impossible to verify by inspection alone
- A copy is indistinguishable from the original
- It cannot be sealed in the traditional way, where the author affixes his signature
- The functions of identification, declaration and proof for electronic documents are carried out using a digital signature based on cryptography

Electronic World
- Digital signatures are created and verified using cryptography
- Public key system based on asymmetric keys: an algorithm generates two different but related keys
  - Public key
  - Private key
- The private key is used to digitally sign; the public key is used to verify

Public Key Infrastructure
- Allows parties to have free access to the signer's public key
- Assures that the public key corresponds to the signer's private key
- Creates trust between parties as if they knew one another
- Parties with no trading partner agreements, operating on open networks, need to have the highest level of trust in one another

Role of the Government
- The Government has to provide the definition of:
  - the structure of the PKI
  - the number of levels of authority and their juridical form (public or private certification)
  - which authorities are allowed to issue key pairs
  - the extent to which the use of cryptography should be authorised for confidentiality purposes
  - whether the Central Authority should have access to encrypted information, and when and how
  - the key length, its security standard and its time validity

Section 3: Defines Digital Signatures
- The authentication is to be effected by the use of an asymmetric crypto system and hash function
- The private key and the public key are unique to the subscriber and constitute a functioning key pair
- Verification of the electronic record is possible

Secure digital signature (S. 15)
If, by application of a security procedure agreed to by the parties concerned, it can be verified that a digital signature, at the time it was affixed, was:
- (a) unique to the subscriber affixing it;
- (b) capable of identifying such subscriber;
- (c) created in a manner or using a means under the exclusive control of the subscriber, and linked to the electronic record to which it relates in such a manner that if the electronic record was altered the digital signature would be invalidated,
then such digital signature shall be deemed to be a secure digital signature.

Certificate based Key Management
- Operated by a trusted third party: the CA
- Provides trading partners with certificates
- Notarises the relationship between a public key and its owner
[Diagram: the CA issues certificates binding User A and User B to their public keys]

Essential steps of the digital signature process
- STEP 1: The signatory is the authorised holder of a unique cryptographic key pair;
- STEP 2: The signatory prepares a data message (for example, in the form of an electronic mail message) on a computer;
- STEP 3: The signatory prepares a "message digest" using a secure hash algorithm. Digital signature creation uses a hash result derived from, and unique to, the signed message;
- STEP 4: The signatory encrypts the message digest with the private key. The private key is applied to the message digest using a mathematical algorithm. The digital signature consists of the encrypted message digest;
- STEP 5: The signatory typically attaches or appends its digital signature to the message;
- STEP 6: The signatory sends the digital signature and the (unencrypted or encrypted) message to the relying party electronically;

Essential steps of the digital signature process
- STEP 7: The relying party uses the signatory's public key to verify the signatory's digital signature. Verification using the signatory's public key provides a level of technical assurance that the message came exclusively from the signatory;
- STEP 8: The relying party also creates a "message digest" of the message, using the same secure hash algorithm;
- STEP 9: The relying party compares the two message digests. If they are the same, the relying party knows that the message has not been altered after it was signed. Even if one bit of the message has been altered after it was digitally signed, the message digest created by the relying party will differ from the message digest created by the signatory;
- STEP 10: Where the certification process is resorted to, the relying party obtains a certificate from the certification service provider (including through the signatory or otherwise), which confirms the digital signature on the signatory's message. The certificate contains the public key and name of the signatory (and possibly additional information), digitally signed by the certification service provider.
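The ten steps above, the Section 15 requirement that altering the record must invalidate the signature, and the CA's notarisation of a public key's owner can all be seen in one short program. The following is an added example and not code from the presentation: it implements textbook RSA over SHA-256 digests (no padding, for illustration only, not a production scheme), a CA that signs a subscriber's name and public key, and a relying party that verifies the certificate, verifies the signature, and then sees verification fail after a single bit of the message is flipped. The subscriber name, the message and the fixed seed are constructed for the demonstration.

```python
"""Added example: steps 1-10 of the digital signature process with a toy CA.
Textbook RSA over SHA-256, no padding; for teaching only."""
import hashlib
import random


def is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int, rng: random.Random) -> int:
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def generate_key_pair(bits: int = 1024, rng: random.Random = None):
    """STEP 1: a unique key pair; returns (public_key, private_key)."""
    rng = rng or random.SystemRandom()
    e = 65537
    while True:
        p = random_prime(bits // 2, rng)
        q = random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    d = pow(e, -1, phi)  # private exponent (Python 3.8+ modular inverse)
    return (n, e), (n, d)


def message_digest(message: bytes) -> int:
    """STEP 3 and STEP 8: secure hash of the message, as an integer below n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key, message: bytes) -> int:
    """STEP 4: apply the private key to the message digest."""
    n, d = private_key
    return pow(message_digest(message), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """STEPS 7-9: recover the signed digest with the public key and compare it
    with a fresh digest of the received message."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(message)


def certificate_bytes(subject: str, public_key) -> bytes:
    """Canonical bytes the CA signs: subscriber name and public key."""
    n, e = public_key
    return f"{subject}|{n}|{e}".encode()


def issue_certificate(ca_private, subject: str, subscriber_public) -> dict:
    """STEP 10 (CA side): notarise the binding between owner and public key."""
    body = certificate_bytes(subject, subscriber_public)
    return {"subject": subject, "public_key": subscriber_public,
            "ca_signature": sign(ca_private, body)}


def verify_certificate(ca_public, cert: dict) -> bool:
    """STEP 10 (relying-party side): check the CA's signature on the binding."""
    body = certificate_bytes(cert["subject"], cert["public_key"])
    return verify(ca_public, body, cert["ca_signature"])


def demo(seed: int = 7):
    """Run the whole flow; returns (cert ok, signature ok, tampered ok)."""
    rng = random.Random(seed)  # fixed seed so the demo is reproducible
    ca_public, ca_private = generate_key_pair(512, rng)
    sub_public, sub_private = generate_key_pair(512, rng)
    # Hypothetical subscriber and message, constructed for the example.
    cert = issue_certificate(ca_private, "subscriber@example.invalid", sub_public)
    message = b"Transfer 100 units to account 42"
    signature = sign(sub_private, message)
    # Section 15: flipping one bit of the record must invalidate the signature.
    tampered = bytes([message[0] ^ 0x01]) + message[1:]
    return (verify_certificate(ca_public, cert),
            verify(cert["public_key"], message, signature),
            verify(cert["public_key"], tampered, signature))


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The relying party never needs the subscriber's private key: it takes the public key from the certificate, trusts it because the CA's signature over the name and key verifies, and then repeats STEP 8 itself. Because the digest is recomputed over the bytes actually received, any alteration after signing, even a single bit, yields a different digest and the comparison in STEP 9 fails.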

Section 4: Legal recognition of electronic records
- If any information is required by law to be in printed or written form, information provided in electronic form that is accessible so as to be usable for subsequent use shall be deemed to satisfy the requirement that the document be presented in writing or printed form.

Sections 5, 6 & 7
- Legal recognition of digital signatures
- Use of electronic records in Government and its agencies
- Publication of rules and regulations in the Electronic Gazette
- Retention of electronic records: accessibility of the information, same format, particulars of dispatch, origin, destination, time stamp, etc.

The CCA has to regulate the functioning of CAs in the country by:
- Licensing Certifying Authorities (CAs) under section 21 of the IT Act and exercising supervision over their activities
- Certifying the public keys of the CAs, i.e. their Digital Signature Certificates, more commonly known as Public Key Certificates (PKCs)
- Laying down the standards to be maintained by the CAs
- Addressing the issues related to the licensing process

The licensing process
- Examining the application and accompanying documents as provided in sections 21 to 24 of the IT Act and all the Rules and Regulations thereunder;
- Approving the Certification Practice Statement (CPS);
- Auditing the physical and technical infrastructure of the applicants through a panel of auditors maintained by the CCA.

Licensed Certifying Authorities
- Provide services to subscribers and relying parties as per the certification practice statement (CPS), which is approved by the CCA as part of the licensing procedure:
  - Identification and authentication
  - Certificate issuance
  - Certificate suspension and revocation
  - Certificate renewal
  - Notification of certificate-related information
  - Display of all of these on its website
  - Time-stamping

Section 15: Secure Digital Signatures
- If a digital signature is applied in such a manner that, were the electronic record (ER) altered, the digital signature would be invalidated, it is called a secure digital signature
- Unique to the subscriber
- Identifies the subscriber

Regulation of Certifying Authorities [Chapter IV]
- The Central Government may appoint a Controller of Certifying Authorities who shall exercise supervision over the activities of Certifying Authorities.
- A Certifying Authority means a person who has been granted a licence to issue a Digital Signature Certificate. The Controller of Certifying Authorities has the power to lay down rules, regulations, duties, responsibilities and functions of the Certifying Authorities issuing Digital Signature Certificates.
- A Certifying Authority empowered to issue Digital Signature Certificates has to procure a licence from the Controller of Certifying Authorities. The Controller has prescribed detailed rules and regulations under the Act as to the application for a licence, suspension of a licence and the procedure for grant or rejection of a licence.

Digital Signature Certificate [Chapter VII]
- Any person may make an application to a Certifying Authority for the issue of a Digital Signature Certificate. The Certifying Authority, while issuing such a certificate, shall certify that it has complied with the provisions of the Act.
- The Certifying Authority has to ensure that the subscriber (i.e. the person in whose name the Digital Signature Certificate is issued) holds the private key corresponding to the public key listed in the Digital Signature Certificate, and that the public and private keys constitute a functioning key pair.
- The Certifying Authority has the power to suspend or revoke a Digital Signature Certificate.

Section 12: Acknowledgement of receipt
- If the originator has not specified a particular method: any communication, automated or otherwise, or any conduct sufficient to indicate receipt
- If the originator has stipulated that acknowledgement is necessary: unless the acknowledgement has been received, the electronic record shall be deemed never to have been sent
- Where the acknowledgement is not received within the time specified, or within a reasonable time, the originator may give notice that the electronic record will be treated as though it had never been sent

Section 13: Dispatch of electronic records
- Unless otherwise agreed, dispatch occurs when the ER enters a computer resource outside the control of the originator
- If the addressee has designated a computer resource, receipt occurs at the time the ER enters the designated computer resource; if the ER is sent to a computer resource of the addressee that is not the designated one, receipt occurs when the ER is retrieved by the addressee
- If no computer resource has been designated, receipt occurs when the ER enters the computer resource of the addressee
- An ER is deemed to be dispatched and received at the place where the originator has his principal place of business, otherwise at his usual place of residence

Sections 71 & 72
Section 71
- Offence: Misrepresentation to the Controller or the Certifying Authority
- Description: Making any misrepresentation to, or suppressing any material fact from, the Controller or the Certifying Authority for obtaining any licence or Digital Signature Certificate, as the case may be
- Penalty: Imprisonment for a term which may extend to 2 years, or a fine of up to 1 lakh rupees, or both
Section 72
- Offence: Breach of confidentiality and privacy
- Description: Any person who, in pursuance of any of the powers conferred under the IT Act, has secured access to any electronic record, book, register, correspondence, information or document and, without the consent of the person concerned, discloses such electronic record, book, register, correspondence, information or document to any other person
- Penalty: Imprisonment for a term which may extend to 2 years, or a fine of up to 1 lakh rupees, or both

Sections 73 & 74
Section 73
- Offence: Publishing a Digital Signature Certificate false in certain particulars
- Description: Publishing a Digital Signature Certificate, or otherwise making it available to any other person, with the knowledge that the Certifying Authority listed in the certificate has not issued it, or the subscriber listed in the certificate has not accepted it, or the certificate has been revoked or suspended, unless such publication is for the purpose of verifying a digital signature created prior to such suspension or revocation
- Penalty: Imprisonment for a term which may extend to 2 years, or a fine which may extend to 1 lakh rupees
Section 74
- Offence: Publication for fraudulent purpose
- Description: Creating, publishing or otherwise making available a Digital Signature Certificate for any fraudulent or unlawful purpose
- Penalty: Imprisonment for a term which may extend to 2 years, or a fine of up to 1 lakh rupees, or both

Other important provisions of the IT Act, 2000
- Sections 48 to 64: establishment of the Cyber Appellate Tribunal etc. and compounding of contraventions; appeal to the High Court within 60 days of the decision of the Cyber Appellate Tribunal
- Section 79 (network service providers): provides for non-liability of a network service provider in certain cases if he proves that the offence or contravention was committed without his knowledge or that he had exercised all due diligence to prevent its commission. Explanation: for the purposes of this section, (a) "network service provider" means an intermediary; (b) "third party information" means any information dealt with by a network service provider in his capacity as an intermediary
- Section 85 (offences by companies): directors and managers are liable unless they prove that the offence or contravention was committed without their knowledge or that they had exercised all due diligence to prevent its commission

Amendments: Indian Evidence Act, 1872
- Section 3 of the Evidence Act was amended to provide for the admissibility of electronic records as evidence, along with paper-based records, as part of the documents which can be produced before the court for inspection.

Presumptions in law
- In any proceedings involving a secure electronic record, the court shall presume, unless the contrary is proved, that the secure electronic record has not been altered since the specific point of time to which the secure status relates

Presumptions in law
- In any proceedings involving a secure digital signature, the court shall presume, unless the contrary is proved, that the secure digital signature was affixed by the subscriber with the intention of signing or approving the electronic record

Societe Des Produits Nestle SA case, 2006 (33) PTC 469, and State v. Mohd Afzal, 2003 (7) AD (Delhi) 1
- By virtue of section 65A, the contents of electronic records may be proved in evidence by the parties in accordance with the provisions of section 65B.
- Held: sub-section (1) of section 65B makes admissible as a document a paper print-out of electronic records stored in optical or magnetic media produced by a computer, subject to fulfilment of the conditions specified in sub-section (2) of section 65B:
  - (a) The computer from which the record is generated was regularly used to store or process information in respect of an activity regularly carried on by the person having lawful control over the computer, and the record relates to the period over which the computer was regularly so used.
  - (b) The information was fed into the computer in the ordinary course of the activities of the person having lawful control over the computer.
  - (c) The computer was operating properly, and if not, the defect was not such as to affect the electronic record or its accuracy.
  - (d) The information reproduced is such as was fed into the computer in the ordinary course of the activity.

Important issues to ponder: is the IT Act incomplete?
- Digital signatures should not be technology specific but technology neutral (the Act mandates an asymmetric crypto system and hash function)
- Domain names, the rights of domain name owners, and squatting
- IPR issues not addressed
- SPAM issues

Information Technology Act 2000- An overview Date: 27th ...
